From patchwork Sat Mar 9 15:52:19 2013 X-Patchwork-Submitter: Mathias Krause X-Patchwork-Id: 226342 X-Patchwork-Delegate: davem@davemloft.net
From: Mathias Krause To: "David S. Miller" Cc: netdev@vger.kernel.org, Mathias Krause , Stephen Hemminger Subject: [PATCH 1/3] bridge: fix mdb info leaks Date: Sat, 9 Mar 2013 16:52:19 +0100 Message-Id: <1362844341-12591-2-git-send-email-minipli@googlemail.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1362844341-12591-1-git-send-email-minipli@googlemail.com> References: <1362844341-12591-1-git-send-email-minipli@googlemail.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The bridging code discloses heap and stack bytes via the RTM_GETMDB netlink interface and via the notify messages sent to group RTNLGRP_MDB after a successful add/del. Fix both cases by initializing all unset members/padding bytes with memset(0). Cc: Stephen Hemminger Signed-off-by: Mathias Krause --- net/bridge/br_mdb.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c index 9f97b85..ee79f3f 100644 --- a/net/bridge/br_mdb.c +++ b/net/bridge/br_mdb.c @@ -80,6 +80,7 @@ static int br_mdb_fill_info(struct sk_buff *skb, struct netlink_callback *cb, port = p->port; if (port) { struct br_mdb_entry e; + memset(&e, 0, sizeof(e)); e.ifindex = port->dev->ifindex; e.state = p->state; if (p->addr.proto == htons(ETH_P_IP)) @@ -136,6 +137,7 @@ static int br_mdb_dump(struct sk_buff *skb, struct netlink_callback *cb) break; bpm = nlmsg_data(nlh); + memset(bpm, 0, sizeof(*bpm)); bpm->ifindex = dev->ifindex; if (br_mdb_fill_info(skb, cb, dev) < 0) goto out; @@ -171,6 +173,7 @@ static int nlmsg_populate_mdb_fill(struct sk_buff *skb, return -EMSGSIZE; bpm = nlmsg_data(nlh); + memset(bpm, 0, sizeof(*bpm)); bpm->family = AF_BRIDGE; bpm->ifindex = dev->ifindex; nest = nla_nest_start(skb, MDBA_MDB); 
@@ -228,6 +231,7 @@ void br_mdb_notify(struct net_device *dev, struct net_bridge_port *port, { struct br_mdb_entry entry; + memset(&entry, 0, sizeof(entry)); entry.ifindex = port->dev->ifindex; entry.addr.proto = group->proto; entry.addr.u.ip4 = group->u.ip4;
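Review bot: in the br_mdb_fill_info() hunk (@@ -80,6 +80,7 @@) the changelog says "all unset members/padding bytes" but neither it nor the code names which parts of struct br_mdb_entry were reaching userspace uninitialized. The visible lines assign e.ifindex and e.state and then fill the address only under the p->addr.proto == htons(ETH_P_IP) branch, so the rest of the address union and any padding are the likely candidates. A one-line comment at the memset(&e, 0, sizeof(e)) saying the struct is copied to userspace whole would help keep a later cleanup from dropping the call as redundant.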
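Review bot: in the br_mdb_dump() hunk (@@ -136,6 +137,7 @@) only bpm->ifindex is assigned after the new memset(bpm, 0, sizeof(*bpm)), so the header's family field now goes out as 0, while the nlmsg_populate_mdb_fill() hunk sets bpm->family = AF_BRIDGE right after the same memset. Unless family is assigned outside the lines shown, consider setting bpm->family = AF_BRIDGE in the dump path as well so both message types carry the same header; the memset closes the leak either way.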
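Review bot: in the br_mdb_notify() hunk (@@ -228,6 +231,7 @@) the lines shown assign entry.ifindex, entry.addr.proto and entry.addr.u.ip4 but not entry.state, which br_mdb_fill_info() does set (e.state = p->state). With the memset in place the notification would carry state 0 instead of stack contents; if state is not filled in further down, please confirm that 0 is the value listeners on RTNLGRP_MDB should see, or pass the real state through.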